As with any system there may arise a situation in which the root login has been misplaced or forgotten. The below process will show you how to reset the password for root back to a blank password. This is not supported by VMware and you might consider running a repair install of ESXi instead of this process. A repair install will overwrite the system partitions of an ESXi install but preserve any VMFS datastores. After a repair install one can add the existing VMs back to inventory by browsing the datastore, right clicking on VMX files and selecting Add to Inventory. Note that changing the password of root back to blank will prevent the mounting of any NFS datastores as these depend on the root login to authenticate with the NFS server.

This process does require some sort of physical access to the host as it will require booting it with an alternate OS. In the below example I used the Slax Linux Live CD. Please note that I tested this process on a test server with no VMs. It was basically a fresh install on which I changed the root password and created another login. I then used this process to reset the password of root and rebooted the host. After the reboot I could login with no password for root and the other account worked fine as well. While I think this is a relatively safe process, if I were doing this on a live system I would ensure that I had backups of the VMs and if possible a configuration backup for ESXi.

If you do want to want to retrieve the root or other password password, you can use the initial steps to retrieve a copy of the shadow file. Then use a tool like john the ripper (jtr) to crack the password. If a common word / pass phase was used for the password and you use a extensive password list with jtr then you may be able to retrieve the password in a fairly short time frame

1) The below image was taken from the console of the ESXi host and the output of cat /etc/shadow shows the encrypted password for the root login. You may wish to record the password hash should you wish to reverse this change.

2) After the host was shut down, I booted up with the Linux live CD. I then ran the commands fdisk -l and ls -l /mnt/sda5/ / ls -l /mnt/sda6/ to determine the location of the most recent state.tgz file. Note that if you're using ESXi Embedded then you may only see local.tgz instead of state.tgz and you should then copy and recreate that file. In my below example, ESXi was a fresh install so /sda6 has no files but boot.cfg. When booting ESXi on this host, /sda5 would be mounted as /bootbank and /sda6 as /altbootbank.

3) After determining where the most recent state.tgz file was located, this was copied to /tmp. gzip and tar were then used to extract local.tgz from state.tgz. If you're using ESXi Embedded then you will copy local.tgz to tmp and run gzip and tar on that file. Once local.tar was extracted the cd etc command was run followed by vi shadow.

4) The below two images show the shadow file before and after editing. Essentially you'll want to have the root entry as root::13358:0:99999:7::: . Once you have removed the password hash, press ESC and to save the change type in :wq and press Enter. You can run cat shadow to confirm that the change was saved successfully.

5) Once the shadow file has been updated, you'll use cd .. to go back to /tmp and then run tar -czvf local.tgz etc to create the local.tgz file. If you're using ESXi Embedded then you'll copy this file to the drive where it came from in step 3. Otherwise you'll run tar -czvf state.tgz local.tgz to create state.tgz which should then be copied to the correct location. In the below image you'll notice that I don't always use the -v option with the tar command. This option displays a list of all files being processed by the command and would have resulted in larger screen output. It is entirely optional for this process, but can provide a good check to see if the right files are being processed. When running tar to extract the local file, a large number of files will be processed. I've also used the ls -l command a few times in the below image. This was done to ensure that the file copied correctly.

6) Once the file has been copied back to the /bootbank partition the host can be rebooted back into ESXi. You'll be able to login with the root account with no password and will be greeted with the familiar message to change the root password.